Introduction
The use of telematics began at Agriculture and Agri-Food Canada (AAFC) in 2019 when National Resources Canada (NRCAN) purchased telematics devices and issued them to various federal institutions, including AAFC; an initiative promoting activities to Green Government Operations. Since that time, AAFC has used the telematics devices in over 90% of its fleet vehicles (as of September 2023). Matching the telematics data, such as speeding, with driver data to determine employee compliance has not occurred.
Since installing the telematics devices, AAFC’s National Fleet Management Office (NFMO) began noticing alarming driver behaviour, predominantly speeding, that is in non-compliance of AAFC’s Departmental Policy on Motor Vehicles and local traffic laws. Consequently, and in collaboration with AAFC Labour Relations and AAFC Legal Services Unit (LSU), AAFC decided to institute a change to its practices – to use the telematics data to monitor employee compliance with its Departmental Policy on Motor Vehicles, which, in part, mandates staff to obey local traffic laws. In fact, AAFC has a responsibility under Part II of the Canada Labour Code (Occupational Health and Safety) to ensure the health and safety (at work) of every person employed by the department. Therefore, to ensure it is compliant with the health and safety requirements in Part II of the Canada Labour Code, the use the telematics data for this new administrative purpose is not just a desire of the Department, but an obligation.
While AAFC intends to proceed with the new consistent use as described above, AAFC has decided to delay deployment until such time that this Privacy Impact Assessment (PIA) can be completed and the risks and recommendations considered.
This PIA describes the use of telematics devices, the systems storing the data, and the process of NFMO and regional managers to match telematics data, predominantly speeding in excess of 130 km/h with driver data.
Objective
This PIA has been authored to assess the upcoming new uses of personal information collected from AAFC fleet vehicles.
Description
Pursuant to the Directive on Privacy Impact Assessment, the use of telematics data and matching that data with driver information is considered a new consistent use of the data collected from the telematics device. Global Positioning System (GPS) data is a focus of this PIA due to the types of personal information which could be garnered from that data. For these reasons, a PIA was deemed to be necessary.
The use of telematics data is a new consistent use, through the submission of this PIA, AAFC is notifying the Privacy Commissioner as required under ss. 9(4) of the Privacy Act.
The risks identified in the PIA have been assessed by AAFC senior management who developed a robust action plan to eliminate or reduce the risks to an acceptable level. While some work is needed to address privacy risks, AAFC is well positioned to deploy the new consistent use related to telemetric data use and employee monitoring.
Conclusion
In its Directive on Privacy Impact Assessment, Treasury Board has expressed that the PIA must include a completed risk identification and categorization section and make public those risk ratings.
The PIA identified privacy risks related to
- a lack of documented procedures
- a lack of awareness of the new consistent use
- inadequate privacy notice and consent
- unidentified retention and disposal standards
AAFC’s National Fleet Management and the Privacy Compliance Unit has identified mitigations to address these risks.
For further information please contact the Access to Information and Privacy Office.